From: Sylvain Desbureaux <sylvain.desbureaux@orange.com>
Date: Mon, 26 Oct 2020 12:34:18 +0000 (+0100)
Subject: [COMMON] Add TLS for Ingress configuration
X-Git-Tag: 7.0.0~65^2
X-Git-Url: https://gerrit.onap.org/r/gitweb?a=commitdiff_plain;h=refs%2Fchanges%2F35%2F114235%2F2;p=oom.git

[COMMON] Add TLS for Ingress configuration

Instead of setting TLS termination at POD level, it may be interesting
to terminate it at Ingress level.
This patch add the ability to do that using "Ingress" templates.
In order to achieve it, you need to configure it this way in
`values.yaml`:

```yaml
ingress:
  enabled: false
  service:
    - baseaddr: 'my-endpoint'
      name: 'my-service'
      port: 8080
  config:
    tls:
      secret: my-service-ingress-certs
```

Secret (here `my-service-ingress-certs`) must follow Kubernetest
`kubernetes.io/tls` type: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls

Issue-ID: SO-3078
Issue-ID: SO-3237
Issue-ID: OOM-2609
Signed-off-by: Sylvain Desbureaux <sylvain.desbureaux@orange.com>
Change-Id: I76c0929d53289a581bc26d0d03cc8b9bd72d0fd1
---

diff --git a/kubernetes/common/common/templates/_ingress.tpl b/kubernetes/common/common/templates/_ingress.tpl
index 6b4f0ed36e..e57d4bedaa 100644
--- a/kubernetes/common/common/templates/_ingress.tpl
+++ b/kubernetes/common/common/templates/_ingress.tpl
@@ -1,19 +1,28 @@
+{{- define "ingress.config.host" -}}
+{{-   $dot := default . .dot -}}
+{{-   $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) -}}
+{{-   $burl := (required "'baseurl' param, set to the generic part of the fqdn, is required." $dot.Values.global.ingress.virtualhost.baseurl) -}}
+{{ printf "%s.%s" $baseaddr $burl }}
+{{- end -}}
+
 {{- define "ingress.config.port" -}}
+{{-   $dot := default . .dot -}}
 {{- if .Values.ingress -}}
 {{- if .Values.global.ingress -}}
 {{- if or (not .Values.global.ingress.virtualhost) (not .Values.global.ingress.virtualhost.enabled) -}}
   - http:
       paths:
 {{- range .Values.ingress.service }}
-        - path: {{  printf "/%s" (required "baseaddr" .baseaddr) }}
+{{ $baseaddr := required "baseaddr" .baseaddr }}
+        - path: {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }}
           backend:
             serviceName: {{ .name }}
             servicePort: {{ .port }}
 {{- end -}}
 {{- else if .Values.ingress.service -}}
-{{- $burl := (required "baseurl" .Values.global.ingress.virtualhost.baseurl) -}}
 {{ range .Values.ingress.service }}
-  - host: {{ printf "%s.%s" (required "baseaddr" .baseaddr) $burl }}
+{{ $baseaddr := required "baseaddr" .baseaddr }}
+  - host: {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }}
     http:
       paths:
       - backend:
@@ -95,7 +104,18 @@ spec:
 {{- if .Values.ingress.tls }}
   tls:
 {{ toYaml .Values.ingress.tls | indent 4 }}
-  {{- end -}}
+{{- end -}}
+{{- if .Values.ingress.config -}}
+{{- if .Values.ingress.config.tls -}}
+{{-   $dot := default . .dot -}}
+  tls:
+    - hosts:
+    {{- range .Values.ingress.service }}{{ $baseaddr := required "baseaddr" .baseaddr }}
+        - {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }}
+    {{- end }}
+    secretName: {{ required "secret" (tpl (default "" .Values.ingress.config.tls.secret) $dot) }}
+{{- end -}}
+{{- end -}}
 {{- end -}}
 {{- end -}}
 {{- end -}}